Assessing Risk

00:00

Hello, Cyber A card Sharks and risk takers. Welcome back to the implementing a HIPPA compliance program for leadership. Siri's. We're in this lesson. We're gonna focus on risk and specifically, how are hipper. Program must adopt, implement and maintain a risk assessment program. So if you're ready to jump out of a perfectly good airplane, let's take a skydive, and our organization begins to assess risk

00:19

to privacy and security of our protected health information.

00:23

So, in other words, first and traveling 200 MPH without a spare backup parachute, we will identify the primary challenge for every organization when it comes to their security program defining and assessing risk. We will talk about how the hippo standards require are covered entity to maintain a risk management program from documenting our risk management program,

00:40

training our employees on risk to testing our program through practice run throughs.

00:43

Well, we're gonna call those tabletop exercises. We will review the core concepts of a risk management framework, and then we will cover two primary milestones of to roll out our risk program, assessing ourselves regarding risk, and then how we test our program to make sure it meets all the requirements and goals of the hippest standards. So let's jump right in

01:00

and avoid hitting any of the risks associated with jumping out of a plane headfirst,

01:03

like hitting birds, hitting fellow skydivers and making sure that we remember to pack our shoot right.

01:08

So hands down. One of the most fundamental problems or questions network security and information managers fail to answer when they walk into the room is being able to answer the question. What are you trying to protect? We have talked about this before, but the principle of five nines is really only a theory. A construct, a philosophy, A best practice. I like to say everyone wants five nines, but they can only afford nine threes.

01:27

Our organization has only so much budget,

01:30

and so because of that, we have to apply our controls where the risk is where it costs us the most in financial capital in human capital when things go wrong. So we have to be very diligent and identifying and defining the threat story information systems and then, based on those threats, identifying a prioritizing risk, we aren't going to put $100,000 control on something where the risk to us as $1000

01:49

but we might put $100,000 control on a million dollar risk,

01:53

either in losses to our equipment, our recovery or the loss of data, even our reputation. We have to assess the risk to our organization and classify the risk based on the criticality and likelihood to the business. We then have to minimize the risk everywhere we can be administrative, physical and technical controls.

02:08

So the hippo security rule doesn't mandate or prescribe specific methodologies that must be performed to analyze her immediate risks. Instead, it identifies foundational elements and objectives that we will cover here shortly.

02:20

But one of the primary requirements of the security rule is that your organization must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of E. P. H. I held by the covered entity.

02:32

The office of the National Coordinator for Health Information Technology, O N. C. H. I. T. Publishes what it calls the hip a security risk assessment tool. RSR A tool is a guide to helping a health organization performer risk assessment a bunch of checks against the administrative physical and technical controls an organization.

02:50

Another guideline often used is the NIST Special Publication 830

02:53

Guide for Conducting Risk Assessments. Doesn't matter what your organization uses, just as long as you have a processing your security program for analyzing risk and the or implementing reasonable and appropriate security measures to protect your pH. I from threats

03:08

so hip it doesn't tell you how you're supposed to manage risk, but it requires you to perform risk analysis and to maintain a risk management framework. So what's the risk management framework you ask? Well, you could break it down like this. Keep track of what you have to find the importance of what you have. What is the risk to the organization If you no longer have that asset or that service

03:25

document via a matrix, the assets, it's criticality rating. It's risk rating

03:30

and what mitigating controls are in place to minimize the risk to your organization. In a separate document, identify all of the organizations known yet accepted risks and those risks where the responsibility if something goes wrong as another entity, such as an insurance company, we're not protecting the bosses company car from thrift by putting it in a parking lot surveillance system.

03:49

We are instead ensuring it

03:50

in case it gets stolen. And maintain a list of your entities. Business partners. The status of your mutual business partner agreements, what assets your business partners have access to, and they're signed and agreed to acceptable use policies and data sharing agreements.

04:02

So the good news, especially for small to medium sized health organizations, is that the office of the National Coordinator for Health Information Technology and Partnership with the U. S. Department of Health and Human Services Office for Civil Rights OCR, has made the process of performing risk analysis, if not an easy process, at least a lot easier than trying to figure it out on your own and where to start.

04:23

The federal government has created what they call the security risk assessment tool or are a tool

04:27

SRE Tools hosted on the website and as a free Windows based application that could be installed locally on an end user's computer. Three s are a tool is a wizard based workflow with summary reporting that provides in users with feedback and progress indicators as they work through the security assessment for their organization.

04:44

The S. R. A tool allows organizations to track assets current

04:46

UH, encryption levels for assets business associates and risk the sorry to A seven sections. Security management processes, policies and procedures. Managing access to systems and workforce training, technical security procedures, physical security procedures, business associate agreement and contingency planning, data backups and data recovery plans.

05:05

The are a tool takes you through each of these sections by presenting questions about your organization and its activities.

05:12

And based on your answers, it will show you the necessary corrective actions. And for corrective action is suggested. The tool provides guidance on the related HIPPA rule requirement in suggestions on how to improve following each assessment section. The tool prompts you to select applicable vulnerabilities and rate associated threats in terms of likelihood and impact to determine your risk level.

05:31

So one of my favorite activities and security or table top exercises. You notify the team to grab their coffee and come to the conference room when they get there. You notifying that that a disaster event just happened? Well, pretend, of course, but to the organization and to grab their business continuity and disaster recovery plans and hurry back because we have to get a critical systems back up on operational.

05:50

And it is so fun to see the fear and quite often, anxiety because the stress levels of the employees in the room

05:56

just realize that they're not going to get a thing done. And they're gonna be behind all day because of the stupid exercise. Well, that eventually changes to excitement, to show how they can help and how much they know about business continuity. Because they memorized the plan, they've gone through it themselves on their eager and willing to help. Really fun to watch that change. Well, now it's time you planned the work.

06:15

Now it's time to work. The plan on going Another great practices your risk management program to keep your employees up to date

06:19

and aware of the threats and risks out there and always be prepared. Use things like flyers and notices with helpful and friendly awareness tips that you can put in the elevators, break rooms, restrooms, etcetera and as your organization grows and new technologies and services air adopted and legacy solutions were phased out. Ongoing employees and business partner training has to be performed.

06:41

So now that we've jumped out of a plane. We need to see if we can land without wrapping ourselves up in electrical power line. So can you name three of the seven sections evaluated The O N C H I T. Security risk assessment tool. So hit pause. Take a good look around because this is the last time very likely that you're ever going to see the world. And then when you're ready,

06:59

let's hit resume and we'll come back to our answers.

07:00

So

07:02

what are those answers? Well, those seven different sections of the s r. A tool is that it is going to review our security management processes, policies and procedures, managing access to systems, technical security procedures, physical security procedures, business associate agreements and our contingency planning. And then it's gonna help us

07:21

evaluate the risks based on our answers and give us even. Cem recommended remediation based on how we respond.

07:28

Really cool. It's free, and we can download it from the O. N. C. Really good stuff.

07:33

So in today's lecture, we jumped out of a perfectly good plane to get a better understanding of risk and how a security program must have processes and procedures to assess risk and minimize risk specifically to our e p h i systems in our e p h i data repositories. We learned that one of the most difficult challenges for most organizations out there

07:49

is to be able to define risk and to properly understand what they're trying to protect.

07:54

I'll give you an example. We know we have to protect Ph I, but we're clueless on where it all is. R P H. I could be spread all over the place, from personal computers to paper file records to data stores in our data centers cloud even in our employees on sanctioned dropbox. So you get the idea. Assessing your organization's risk is a really big challenge.

08:11

And we hope that learning about the RNC's free Saara tool and the use of tabletop exercises and employee training

08:16

we'll help you and how you will assess risk in your own organization.

08:22

So thanks for joining us today. Our next lecture is gonna be reviewing the hipper requirements of your organizations need to have systems hardening and device vulnerability management program. So until then, on behalf of all of us here at cyber teaching assistants, instructors,